`firstof` and `cycle` tags do not escapes variables defined in `wth` tag

[Алексей Поклонский]

django version: 4.0.1
Template snippet example:

{% with var0="<script>alert('XSS');</script>" var1="12" %}
{% firstof var0 "123" var1 %}
{% endwith %}

Renders with:

def index(request):
    return render(request, 'polls/index.html')

Rendered result is:

<script>alert('XSS');</script>

Expected output is:

<script>alert('XSS');</script>

In ​docs you noted that firstof will escape variables, but it does not escape them as you can see. And also it does not escape passed string literals. For example:

{% firstof var1 var2 var3 "<script>alert('XSS');</script>" %}

Will result in the same not escaped html with XSS.

The same problem with the cycle tag:

{% with var0="<script>alert('XSS');</script>" %}
{% for var2 in list_var %}
{% cycle var0 "123" %}
{% endfor %}
{% endwith %}

Where list_var is just a context-defined list variable.

Related #17906

[Mariusz Felisiak]

All string literals defined on templates are consider safe. If you can define string literals on templates you can put whatever you want and you don't need XSS vulnerabilities. Therefore, there is no value to auto-escaping them.

For the future, report security issues in private by emailing security@… not via the public issue tracker, see ​docs.

[Mariusz Felisiak]

See ​https://docs.djangoproject.com/en/stable/ref/templates/language/#string-literals-and-automatic-escaping.

[Алексей Поклонский]

Replying to Mariusz Felisiak:

See ​https://docs.djangoproject.com/en/stable/ref/templates/language/#string-literals-and-automatic-escaping.

Ok, big thanks for quick response!

[Алексей Поклонский]

The same problem with the cycle tag.

[Mariusz Felisiak]

Replying to Алексей Поклонский:

The same problem with the cycle tag.

As before, this is not an issue, but a documented and expected behavior.